QR codes – next big thing or a fresh opportunity for internet criminals?

PC and Mobile security experts BullGuard have urged caution over the use of QR Codes on smartphones, claiming that they could become a likely target for hackers and malicious users looking to steal your personal data in 2012.

The strange black squares that have been cropping up in increasing numbers in magazines and newspapers; on posters, tickets and websites are likely to become even more commonplace this year with many companies utilising them in increasing numbers, but presuming they are harmless could be playing into the hands of cyber criminals, says BullGuard.

According to a study by Chadwick Martin Bailey, around half of the 1,200 consumers surveyed interacted with a QR code when they saw one, with 21% then going on to share personal information. Curiosity and information-gathering were the primary reasons for wanting to scan a code, and the promise of discounts and special offers seemed to be the most effective way to generate interest.

“Primarily, QR (Quick Response) Codes are yet another way to expand the range of functionality available on smartphones, and provided a device has a QR Code reader installed, many of which are available for free, it takes just seconds to scan a code using the phone’s camera and have it direct you to a product or service” says Claus Villumsen, CTO at BullGuard. “While these are primarily used as a marketing tool for advertisers so that customers can get more information on products or services, cybercriminals know that services that pique interest or offer “special deals” are often prime targets for spreading malware, stealing identities and phishing for personal information. In other words, QR codes make things run faster and easier, but they can also pose a threat to your mobile security.”

A QR matrix barcode can store alphanumeric characters in the form of text or URLs – all you need to “visualize” such a code is a smartphone with a camera and a QR reader application to scan it. The code would typically direct you to a website, though can also promote online videos, send text messages and e-mails, or install and launch apps.

Fast, easy and very popular, QR codes are clearly a convenient way to stay informed anytime, anywhere. But the downside is that you often don’t know the content of a QR code until you scan it. For this very reason you should take the same degree of care when scanning a QR code as you would when downloading an unknown file on the internet. Cyber-attackers might use these codes to redirect you to malicious websites that ask you to download applications that may be infected with malware. These, in turn, could:

Make your calendar, contacts and credit card information (if you shop or bank online using your smartphone) visible to cybercriminals.

Attempt to steal your Google or Facebook password – many apps are integrated with various social networks. As a result, some users may enter their information without suspecting that it is being sent to an illegitimate source.

Track your location.

Install keylogging software.

Send an SMS to a premium number, racking up your phone bill.

“Jailbreak” a device and distribute additional malware.

Redirect users to malicious applications.

Care about your mobile security? Stay away from malicious QR codes!

One notable attack via QR code took place in Russia in 2011, and involved a Trojan disguised as a mobile app called Jimm. Once installed, “Jimm” started to send a series of expensive text messages (which cost $6 each), racking up unwanted charges. This is just one of the ways malicious users can take advantage of these codes in order to gain control over a smartphone, so it goes without saying that users should take particular care of what they’re scanning and be aware of what they’re expecting to find.

Here’s some practical advice on how to spot and avoid malicious QR codes:

Educate children on the nature of QR codes – with many youngsters now sporting smartphones it could be all too tempting for them to scan these codes simply out of curiosity, which could leave them at risk of attacks similar to those described above. Better yet, installing a mobile security suite can help protect them against hidden threats, offering you significant peace of mind.

Don’t scan QR codes in the form of stickers placed randomly on walls or billboards. QR codes can be generated by anybody and placed in public places with the intention of peaking an individual’s curiosity, and unless the message gets out there that these may not all be from legitimate sources, scammers will look to take advantage of this relatively new technology to further their own ends.

Be extra careful if your smartphone works on the Android mobile operating system. Android is an open platform, which means that its source code can be examined by criminals and exploited more easily when they find a weakness in, for example, the Android browser. That’s why most malicious apps transmitted via QR codes target the Android-based smartphones. So, make sure your Android browser is always up-to-date and only scan QR codes from trusted sources.

Be particularly wary of QR codes that are linked to monetary and transaction services – these direct links to money are typically prioritised by malicious third parties when choosing how and where to attack.

Consider installing a mobile security app. An efficient mobile security suite, like BullGuard Mobile Security 10, can protect you from all current mobile threats, such as viruses, worms, Trojans, spyware and other malware that can be transmitted via QR codes. BullGuard Mobile Security 10 comes with powerful antivirus tools that run silently in the background, and a Security Manager that enables you to edit the Antitheft and Parental Control settings.